The CAE Perspective: Audit Plan Priorities, Keys to Career Success, and Talent Management Strategies

What’s top of mind for chief audit executives right now? Richard Chambers moderates a lively conversation with Shannon Urban (VP& CAE at Hasbro), Diana Pagliarini (EVP & General Auditor at State Street), and Carl Hatfield (Managing Director at Protiviti) that ranges from top internal audit priorities to keys for career success to talent management strategies: 

1. Focus areas on risk-centric audit plans in a time of high risk volatility
2. Skills and habits for career success in internal audit today.
3. Creative approaches to identify, attract, and retain forward-thinking talent.

Watch the full conversation, and read the can’t-miss highlights below.

Flexibility, Opportunity — and Money. Creative Approaches Attracting and Retaining Talent

Shannon Urban, Hasbro: I think what attracts people to a company like ours at Hasbro is flexibility — and that we try to have some fun along the way as well. We work for a toy company, you have to have a little bit of fun, right? We try to do that by providing good work-life balance. I think that’s super critical for everyone today. We operate in a hybrid model coming back from the pandemic. Before Covid, it was a five day a week kind of environment, but we’ve opened that up and said, be where you need to be when you need to be there. We think that we need people to be in the office. We think there’s value in that, so we’re in about two days a week and everyone works from wherever they need to be on those other days. We also have half-day Fridays year round as a company, which doesn’t hurt either.  

  

On the opportunity side — especially in this environment where you can’t always promote everyone when you want to promote them, and you can’t always give everyone the big bonus if your company’s not performing the way you’d like it to — how can we give people opportunities within internal audit to be exposed to different parts of the business, to get hands on with some of our strategic initiatives? For example, building out or driving our implementation of AuditBoard and playing a role in that. So, helping to give them opportunities to continue to develop as professionals and build and flex those other skills besides just core audit skills — we’re finding that’s working. 

Carl Hatfield, Protiviti: One thing we’ve seen implemented a little bit more recently at some large audit shops is resource pooling, where you have more junior folks open to a resource pool where they get to work on many different types of audits. There’s a core skill set, but they also have the opportunity to work on different lines of business, with different people, and on different entities and risk items within the organization. Later, they have the opportunity to graduate that resource pool and expand into further depth within certain areas. 

Diana Pagliarini, State Street: I took this role during the pandemic, and stepping in at a very volatile time I tried to just remind myself to focus on the controllable things, but it’s important to walk the talk. Joining a group of 300 individuals, it took me a year and a half, but I met with every single person one-on-one for half an hour to get to know them a little bit. Then now as every new person comes into our department, they get a one-on-one with me and they get an email the first week from me welcoming them, introducing our strategy, and looking forward to an upcoming conversation. I think retention starts on the first day. 

 

Another thing we noticed is that folks who were really well trained — around the five to seven year mark — were leading our audits and training our people. They were the most in-demand and they had the sharpest spike in turnover. We asked, what was going on there? That’s also the point in the org chart where there’s fewer and fewer jobs going upward. What can we do? I’m running a series of workshops with all of our folks at this level around the world. I keep it to a group of about 15 to 20 so we can have a good interaction. It isn’t about performance, it’s is about development plans — defining activities, experiences, and exposures like working on the AuditBoard project. Things that get them interested, involved, exposed to different people, and put more cards in their hands for their career. These workshops also gives you as a leader an opportunity to demonstrate that you’re committed to them. It’s really tough for the competition to step in — money only goes so far, but when they feel they’re supported it can make a real difference.

Key Areas in the Audit Plan in a Volatile Risk Environment

Diana Pagliarini, State Street: The first thing I’m thinking about is around change: the change that’s coming and the change that’s happened. The great resignation didn’t just affect internal audit, it affected certain businesses. Things perhaps that have been stable for some time may now be disruptive. The steady stuff is worth a look to see, can you get a metric on turnover above a certain level in different parts of the organization? That’s your ongoing risk assessment. I think that’s really a key area of focus and an opportunity both the way forward and the way back.

 

I also think about things like the convergence of risk. If we think about geopolitical risk, you look at concentration of risk, where the footprint of the company is, and then you add to that an operational risk, it’s really different now. Risks don’t behave and stay in their own pillars. They move around, they take on their own life. But that’s an opportunity for us to look at those differently. So I think that that’s really important for us and the sustainability of processes that we’ve seen, that’s a new dynamic all its own. So how do you keep on top of that? 

 

I try to keep in mind, what are the headliner messages in the audit plan? An example of this is a culture audit. You talk to a business head or the CEO about a culture audit, everybody gets nervous. We’ve got so many more risks going on, why are we looking at culture? Well, there’s a framework and there’s certain jurisdictions around the world that have laws on this. This is now the new norm. What I do find is if we’re doing first-time audits, we should make that known to the board when we deliver the plan and to the business heads when we’re talking through our plan and when we’re issuing reports. If this is a first-time audit, we should say that. If you do a first-time audit and they come out well, that’s a strong statement. If it’s a first-time audit and things were bumpy, I’m not sure people would be terribly surprised. But it’s a new kind of call to action. 

Carl Hatfield, Protiviti: Around company transformations and emerging technology, with organizational change management and M&A activity it’s important to understand how the organization is changing and how it will be utilizing some of the newer technologies — cloud, IoT, blockchain, AI. All these newer technologies organizations are starting to roll out, looking at it not just from an overall impact, whether it’s operational or financial, but certainly reputational aspects. 

 

We’re really focused on AI as organizations roll that out, whether it be on insurance claims decisioning system or other areas within the business. Now it’s ChatGPT and what are we doing about that? What’s their policy? How are we protecting against it? Et cetera, et cetera. Those are the types of emerging areas of risk coverage. 

 

Process mining technology is something organizations are looking to adopt both operationally within internal audit to really look at data to see how a process works. Why do we get an invoice and then go create a vendor? That’s probably not the way it’s supposed to work. There’s lots of other examples, but process mining technology is really something that organizations are focused on. 

Shannon Urban, Hasbro: I was joking with someone that I’m not sure why we even bothered to put an audit plan together this year because we go through our process, we do the enterprise risk assessment on behalf of the company. and we build our plan off of that risk assessment in the fall, present it and get it approved by the audit committee in December. I’m going to venture a guess that 40% of it is probably irrelevant right now as I look at what’s happening and just the change in the organization. If there’s one theme or thread that goes through pretty much everything I think we will cover this year in internal audit, it’s that change and transformation. 

 

As we think about our audit plan for this year, the reality for us at Hasbro is, we spend 60% of our time on SOX — that’s way too much time as an organization. One of the primary efforts for us is, how can we change that dynamic? How can we rebalance that need to focus on the internal controls over our financial reporting versus all of the other risks that are really top of agenda for the company broadly? We launched a massive change effort ourselves, to SOX optimization or rationalization, call it what you will, to really try to drive down to the core of what we need to do on SOX and cut out all the noise so that we have more time to focus on the other things we had on our plan, which are really directly tied to some of the key strategies of the organization. 

Looking for more thought leadership? Check out our on-demand webinar library for more leaders and experts discussing timely issues, insights, and experiences.